I've been upgrading my script to use bcrypt for authentication and I cannot get it to work. Here's some sample code I have.
<?php
require '../functions/config.php.inc';
if ($_POST['login']) {
$username = mysql_real_escape_string($_POST['username']);
$typedpass = mysql_real_escape_string($_POST['password']);
$info = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
$data = mysql_fetch_array($info);
$storedpass = $data['password'];
//this code block is for stack overflow (it saves the entered password into a bcrypt hash then fetches the database row)
$darealhash = password_hash($typedpass, PASSWORD_DEFAULT)."
";
$result5 = mysql_query("UPDATE users SET password='$darealhash' WHERE username='$username'") or die(mysql_error());
$info = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
$data = mysql_fetch_array($info);
$storedpass = $data['password'];
print_r($data);echo "<hr>";
echo "darealhash is $darealhash // storedpass is $storedpass // username is $username<br>";
if(password_verify("$typedpass", $storedpass)){
echo "correct password";
} else {
echo "WRONG password!";
}
}
?>
<form method="POST">
<table border="0">
<tr>
<td>
Username: <br><input type="text" size="15" class="bigtext" maxlength="25" name="username">
</td>
</tr><tr>
<td>
Password: <br><input type="password" size="15" class="bigtext" maxlength="25" name="password">
</td>
</tr>
<tr><td align="right"> <input type="submit" name="login" class="bigbutton" value="Login"></td></tr>
</table></form>
</body>
</html>
What the code above does is save whatever password is being used in the login form to the database as a bcrypt hash. Then the bcrypt hash in the database is compared against the plaintext entry of the password, and if correct it echoes "correct password", but it keeps echoing "wrong password" and I don't know why.
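The posted code appends a newline to the value returned by password_hash() before storing it. The following added example, which is not part of the original post, shows how password_verify() treats a hash that was altered on its way to storage. The helper diagnose_stored_hash() and the sample password are constructed for illustration, and the truncation case is an assumed second scenario (a column shorter than the hash) that goes beyond what the post shows.

```php
<?php
// Added example: diagnose why a stored bcrypt hash fails password_verify().
// diagnose_stored_hash() is a hypothetical helper, not a PHP built-in.
function diagnose_stored_hash(string $password, string $stored): array
{
    $problems = [];
    if ($stored !== trim($stored)) {
        // Any byte added around the hash makes the comparison fail.
        $problems[] = 'surrounding whitespace (e.g. an appended newline)';
    } elseif (password_get_info($stored)['algoName'] === 'unknown') {
        // A bcrypt hash is exactly 60 characters; anything else is not recognised.
        $problems[] = 'not a complete password_hash() value (column too short?)';
    }
    return [
        'length'   => strlen($stored),
        'verifies' => password_verify($password, $stored),
        'problems' => $problems,
    ];
}

$password = 'correct horse';                          // constructed sample input
$clean    = password_hash($password, PASSWORD_DEFAULT);

$cases = [
    'as returned by password_hash()'        => $clean,
    'newline appended, as in the post'      => $clean . "\n",
    'truncated to 50 chars (assumed case)'  => substr($clean, 0, 50),
];

foreach ($cases as $label => $stored) {
    $r = diagnose_stored_hash($password, $stored);
    printf(
        "%-40s len=%d verifies=%s %s\n",
        $label,
        $r['length'],
        $r['verifies'] ? 'yes' : 'no',
        implode('; ', $r['problems'])
    );
}
```

Only the unmodified hash verifies. Storing the value exactly as password_hash() returns it, in a column wide enough to hold it (the PHP manual suggests 255 characters), avoids both failing cases.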